With all the concern about online theft, why do we trust online
merchants at all? For that matter, why do we trust people we've met on
facebook, etc?
Technological issues & trust: can we at least trust that we're talking to the person we think we're talking to?
Old-style PGP (Pretty Good Privacy) trust:
You need to VERIFY people's public keys (that the key matches the
person). Otherwise you can get a bad key, write to them using it, and
be victim of a man-in-the-middle attack.
(public key crypto: each person has a public key and a private key. If
someone encrypts a message to you with your public key, you can decrypt
it with your private key. Similarly, if you encrypt something with your
private key, anyone can decrypt it with your public key, and in the process verify that it was encrypted with your private key. That last bit means that the message can act as your DIGITAL SIGNITURE.)
How can we be able to TRUST our keys?
Alice needs Bob's key.
SSL certificates (TLS certificates)
SSL = secure socket layer, old name
TLS = transport-layer security, new name
Any pair of entities can negotiate a session key:
You're guaranteed a random key provided the other side does not see your bits before choosing theirs. There are protocols to enforce that (eg exchanging encrypted bits and then exchanging special keys to decrypt them)
BUT: how do you know you're not about to give your credit card to a bad guy with whom you've just created a session key?
What does this have to do with TRUST?
Do you trust the CAs listed in your browser? Huh? Have you even heard of any of them?
Edit => Preferences => Advanced => Encryption => View Certs
Of course, one of the real reasons we trust online commerce -- that we have relatively few bad experiences -- is
related to all this encryption in that it makes it much harder for bad
guys to eavesdrop. (The most likely location for bad guys, btw, is
either in your house or on your local cable loop.)
Note this is powerless against phishing attacks
Although the new Extended Valuation SSL Certs might. Might.
Back to why we trust online vendors:
Overall, it seems that lack of bad past experience has the most to do with why we trust. This seems to be the case with face-to-face and brick-and-mortar relationships just as much as with online situations.
What about personal sites? (Not necessarily dating, but those too.) How
do we form online friendships (eg at discussion sites)? What makes us
think people aren't completely deceiving us? What about in face-to-face settings? Is that any different????
Trusting software part 2: how do we do this? What responsibility do vendors have?
We've seen that people form trust relationships based on a fairly
limited set of positive experiences (though a limited set of negatives,
as well). Sometimes it seems that software has a lot to live up to, in
that we trust it because we don't see bad experiences, but it is so easy for software to take advantage of us.
Email: who is responsible for keeping you safe from spam?
From embedded tags in html that reveal to the sender if you've viewed the email?
The images issue has been around for almost a decade; many email
vendors (and many freemail providers) have been reluctant to support
image-blocking until ~2006 or later. (There may be legitimate reasons for that: it may be perceived as a
hard-to-understand option.)
Browsers: browsers do all sorts of identification of themselves
when
they connect. Some of that is important; some is questionable. Most
browsers do not leak "private" information, though they do leak the
browser and OS you are using. Furthermore, this is hard to change!
Try http://www.jms1.net/ie.shtml,
with internet explorer. (Actually, go to jms1.net, and you get
redirected to the linked site if you're using IE. At one point there
was a page on the site that would simply make IE die.)
IE's entire ActiveX security model is broken; ActiveX is an approach to security where you trust any signed
software. Java, on the other hand, trusts any source, but runs the
software in a "sandbox" where it (hopefully) can't damage your machine.
Many browser PLUGINS do leak
some degree of private information. When you register a plugin, you
connect some personal information to that plugin. Also, some plugins
contact the mothership at regular intervals.
See http://spywareremove.com/remove-BrowserPlugins
SEVERAL media players (plugin or otherwise) may do some checking of
licenses or with the mothership before allowing play. Perhaps most players
from media companies behave this way.
What about compatibility lock-in?
To what extent should your OS be required to act on your behalf?
Palladium (aka Next-Generation Secure Computing Base):
locks you out of lots of things.
Trusted side: can't be reached by debuggers or viruses
Problem: machine now is autonomous; vendor has complete control. Do you trust your vendor?
Software updates, file compatibility,
From Windows Internals by Russinovich & Salomon:
In the Windows security model, any process running with a token containing the debug privilege (such as an administrator’s account) can request any access right that it desires to any other process running on the machine...
This logical behavior (which helps ensure that administrators will always have full control of the running code on the system) clashes with the system behavior for digital rights management requirements imposed by the media industry on computer operating systems that need to support playback of advanced, high-quality digital content such as BluRay and HD-DVD media. To support reliable and protected playback of such content, Windows uses protected processes. These processes exist alongside normal Windows processes, but they add significant constraints to the access rights that other processes on the system (even when running with administrative privileges) can request.
Will all software vendors eventually request that their applications be protected? It would sure put a damper on reverse-engineering!
SONY case has the rights of users front and center.
Sony's 2005 "XCP" copy-protection scheme : it installed a private CD driver
AND a hidden "r00tkit" (so named by Mark Russinovich, then of sysinternals.com) that conceals itself and hides some registry
keys.
Is this legit?
How does it compare with Palladium (secure-computing platform)?
Users do click on a license agreement. Were they sufficiently warned? (The software was apparently installed before the EULA came up; and in any event clearly the EULA did not explain just what was going on.)
Note from Mark Russinovich, via wikipedia:
There is now a virus/worm out that takes advantage of the sony kit.
Sony issued an uninstall utility that didn't actually uninstall the
software, but did make it visible. However, users had to supply an
email address, which by Sony's privacy policy was eligible for spamming.
This or a later removal kit allegedly ADDED a bad ActiveX control.
Jurisdiction online
jurisdictional issues: where did the sale take place? This one is very important for e-commerce.
Traditional three rules for lawsuit jurisdiction:
eHarmony lawsuits, for alleged discrimination against homosexuals
eHarmony is headquartered in California.
New Jersey lawsuit by Eric McKinley, 2005
California lawsuit by Linda Carlson, 2007
How does jurisdiction apply? Should it have applied in New Jersey?
Is the fact that users must enter their address the deciding factor?
trademarks
libel/defamation
criminal law
laws governing sales: seller can sue in his home state/country
This is more or less universal.
Trademark scope
The Blue Note Cafe was located in NYC
The Blue Note, St Louis
(actually Columbia, MO) was a club, sued for trademark infringement by
Blue Note New York because they had a web site.
The case: Bensusan Restaurant Corp v King, 937 F. Supp. 295 (SDNY 1996)
The case was brought in federal district court, which decided there was
a lack of jurisdiction. Before that, however, note that the Missouri
club began using the name in 1980, and the NYC club did not register
the trademark until 1985. Note that, generally speaking, in this sort of situation the Missouri club retains the right to continue to use the name locally, while non-local use is reserved to the federal trademark-holder.
The district court did look at the "long-arm statute" of the "forum state", that is, New York. The New York law provides that
The State-court interpretation of this was that the act had to be committed in New York State, and the federal court deferred to this interpretation.
Another part of the NY state law did provide for jurisdiction when the other party was outside the state. However, the law also
The second circuit decided that Blue Note Missouri did not derive revenue from interstate commerce. End of case.
Blue Note St Louis had a mostly passive web site, although they did
advertise tickets online, to performances at the club itself. These
tickets had to be picked up at the Missouri box office; they were never mailed. Does this matter? Does it matter that the tickets were technically not sold over the internet, but instead you had to call a phone number?
This case was decided on jurisdictional grounds: NY State did not have jurisdiction.
The second-circuit appellate decision is at http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=2nd&navby=docket&no=969344.
This was a reasonable decision, but notice that it sure doesn't
offer many guarantees that your website won't infringe on a trademark
far far away.
Domain names
zippo v zippo, 1997
See http://cyber.law.harvard.edu/metaschool/fisher/domain/dncases/zippo.htm
zippo lighters v zippo.com
trademark infringement filed under PA state law, but filed in federal district court.
PA "long arm" statute
zippo.com was a news service. They had email customers in PA, and two ISP customers.
(1) the defendant must have sufficient "minimum contacts" with the forum state,
(2) the claim asserted against the defendant must arise out of those contacts, and
(3) the exercise of jurisdiction must be reasonable.
Decided JURISDICTIONAL issue, plus others: PA did have jurisdiction
Note the gray area between a completely passive website, just an
"electronic billboard", and “the knowing and repeated transmission of
computer files over the Internet”. Usually the latter means
subscriber-specific information.
What about google.com? Should Illinois courts have jurisdiction?
Internationally, we already looked at LICRA v Yahoo, filed in France (and won by LICRA) for Yahoo's selling of Nazi memorabilia on its auction site in the US. Yahoo had initially agreed to comply with the French order, and then later changed its mind, and filed suit in the US asking that the US court declare that the french court did not have jurisdiction. That case ended in a draw (specifically, in a declaration that the case was not "ripe").
Suppose your bank makes an error. Where do you sue them? What if their only presence in your state is online? Consider the case Soma Medical v Standard Chartered Bank.
SCB is located in Hong Kong. Soma is in Utah. Soma did banking with SCB
online. Some money disappeared. Soma lost their lawsuit in Utah,
because the court ruled that the fact that SCB had a website accessible
in Utah did not give the State of Utah personal jurisdiction.
[Michael Shamos]
NTP v RIM: RIM's network hub was in Canada. RIM lost on that point, but there remain serious questions about whether US patent law extends to other countries.
Butler v Beer Across America
http://itlaw.wikia.com/wiki/Butler_v._Beer_Across_America
BAA is an Illinois company selling beer over the internet. Butler's
minor son ordered beer, and it was delivered to him despite rules that
required an adult signature. Butler sued BAA under an Alabama law that
makes it illegal to sell alcohol to minors. In this case, Butler lost
her bid to get Alabama jurisdiction, though the case was transferred by
the Alabama court to Illinois.
Cybersquatting:
This is somewhat related to trademark disputes, but an essential component is the claim that one party doesn't really want the trademark, but just wants to "extort" money from the other side.
See http://www.networksolutions.com/legal/dispute-policy.jsp
Uniform Domain Name Dispute Resolution Policy -- ICANN
Also AntiCybersquatting Consumer Protection Act.
Some form of bad faith is usually necessary. But not always, if the
effect is to resemble a famous trademark and if you have good lawyers.
Sometimes the only "bad faith" or "intent to profit" is the offer of
the domain holder to settle the case by selling the domain to the
plaintiff.
All this is really about trademarks, not about jurisdiction. But the
"flat" namespace of the web makes all trademark disputes national, or
even global.
vw.net: virtual works
http://www.news.com/2100-1023-238287.html
Peculiarity: vw.net, a one-man company with James Anderson as
principle, offered to sell the name to volkswagen in 1998, and
threatened to auction the name off if volkswagen did not buy. This
triggers a presumption of domain-name squatting.
See http://vwx.com. Oops, I guess not; that site is now for sale. At one point, it was about Anderson's side of the case.
A possibly important point was that virtual works never used the abbreviation "vw" except in the domain name.
They (vw.net) lost.
Is this about cybersquatting? Or is it about the (lack of) rights of the Little Guy to use their trademark in good faith?
american.com: formerly owned by cisco, now a private 'zine (the airline is aa.com)
gateway 2000 v gateway.com
gateway.com was a computer consulting firm, run by
Alan Clegg. There was absolutely no evidence that Clegg foresaw that in
the year 2000 the name gateway2000.com would become obsolete, and
reserved gateway.com in anticipation of a domain sale.
yahoo.com v yahooka.com [which see]
Case was actually never filed
state-law libel and jurisdiction
A state court in Clayton v. Farb, 1998 Del. Super. LEXIS 175 (Del.
April 23, 1998), found that Delaware's long arm statute did NOT reach
the defendant, who posted allegedly libelous and slanderous false
statements about the plaintiff on his Internet site. The statute
provided for jurisdiction over tortious activity outside of Delaware
ONLY if defendant regularly conducted business in the state. The court
found that access in Delaware to defendant's Internet posting did not
constitute sufficient contact to support the exercise of personal
jurisdiction.
This case was decided on JURISDICTIONAL grounds: Delaware did not have jurisdiction
Laws governing libel:
Truth is a defense, but can be expensive to prove. If you say something
false about a public figure, they have to prove actual malice. If you
say something false about anyone else, all they have to prove is that
you were negligent.
We've seen Batzel v Cremers.
Cremers lost on the jurisdiction issue.
But what if the legal climate in the Netherlands was different for
libel lawsuits? What if in the Netherlands the burden of proof lay with
the plaintiff to prove something false, and Cremers was sued in a
jurisdiction (eg England, which still has pro-plaintiff libel laws)
where the burden of proof lay with the defendant?
Is a link to a defamatory site a form of defamation?
(It probably depends on the context)
Is a link to "illegal" software forbidden?
2600 case:
Universal v Reimerdes:
from wikipedia (http://en.wikipedia.org/wiki/Universal_v._Reimerdes)
In particular the Second Circuit ruled that linking on the Internet
happened so fast that it could be restrained in ways that might not be
constitutional for traditional media.
Also, apparently the defendants more or less admitted that they were providing links to deCSS for the purpose of making illegal DVD copies. Things might have been different had they linked for the purpose of research.
While we're at it, contemplate 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0. Is this a legal number?
Part of the issue with linking is that it can provide easy access to "forbidden" content such as circumvention software (deCSS) or copyrighted content (eg providing movie .torrents). For that part, providing the URL in "unlinked" form is probably also subject to regulation.
But the other part is conventional "deep links". These can be used
to view a given page out of context, or to view a given page in a
border provided by another page, or to avoid advertising. Should these
kinds of links be subject to prohibition?
Is linking to a site a form of using that site without authorization? Possibly leading to a claim of trespass-of-chattels?
What about linking to other sites:
bandwidth
trademark
avoidance of advertising
cussedness/control
search engines do this CONSTANTLY.
For a while this was a serious issue, but it seems to be flaming out. Lots of sites still have bizarre linking policies, though.
http://dontlink.com; alas, active site work stopped in 2002.
But see: http://www.americanexpress.com/shared/copyright/webrules.html, item 9, "Linked Internet Sites". Actually, this link is down as of Dec 2009, but it still appears on the americanexpress.com page!!
Symantec has a different approach: http://www.symantec.com/about/profile/policies/legal.jsp#linking (2009)
Symantec permits anyone to link to Symantec's web site subject
to the linker's compliance with the following terms and conditions:
A site that links to Symantec's web site:
Rules 1-8 are entirely reasonable.
Once upon a time, long long ago, in a previous century (1998), Microsoft
was hauled into federal court on antitrust charges. The original issue
was probably that in 1995 Netscape released a better browser, and then
a year later Internet Explorer was bundled in with Windows. Microsoft,
in fact, insisted
that IE be
the only browser on new machines, if a vendor wanted a bulk windows
license (individual windows licenses were and are prohibitively
expensive. (MS also famously insisted that to get a bulk license, you
had
to at least pay for Windows for all
the machines you sold, even if some of them were to be sold with a
non-Windows OS (what would that have been? Pre-gnome linux?).)
During the trial, MicroSoft submitted a video of a computer
allegedly underfunctioning because IE had been removed. Alas for MS,
the video -- presented as representing a single session -- had been
spliced.
From wikipedia:
MS's strategy was universally seen as a frontal assault on Windows,
because MS apparently had the idea that it was important to achieve
dominance in the "browser" market.
But if you're giving it away free, there is no market.
Once upon a time, some people at MS might
have had some notion that, after Netscape was broke, they could resume
charging for IE. That is the sort of behavior that antitrust law is
intended to prohibit. But a more likely idea was that, if MS controlled
the browser market, they would somehow "control" a crucial part of
e-commerce. And, to be sure, controlling the browser would mean that they could introduce new server features and be able to guarantee that the browsers out there would support that feature.
As it turned out, controlling the browser market brought about as
much control of e-commerce as controlling the cash-register paper-tape
market would have brought control over traditional brick-and-mortar
commerce.
MS famously lost their case, at the District Court level. For
several years they had to make it possible to remove IE from windows,
either by owners or resellers. This was also more or less the death
knell for MS's plan to "integrate" the browser with the desktop, ie, to
build IE into the desktop.
Did this make any sense?
A browser is now seen as the
reason people buy computers. It needs to come with the computer, if for
no other reason that you can't download anything without one. How would
I install Firefox, for example, if I couldn't use IE once to download it?
By 2001, the US DoJ was no longer asking for MS to separate its OS
and Application divisions (ie breaking up the company). Instead, they
asked for more mundane restrictions, such as fairer licensing terms.
MS is at it again, but this time not from a position of strength.
They may have recently tried to get the Wall Street Journal to remove
their news content from google, in exchange for payment. This is an
attempt to get people to have a reason to use bing, the new MS search
engine.
Does anyone use bing?
Here's a couple articles:
More seriously, is this a case of antitrust? Or is this a case of exclusive content licensing?
One issue is that google's use of the WSJ is considered to be fair
use. But google makes a heck of a lot of money by indexing this
content, from advertising. The estimate in the articles above is that
it's in the range of $10-15 million/year. This is sort of like the
youtube lawsuits, where the media companies really want a piece of the advertising market that youtube gets for displaying "their" videos.
The MS antitrust case should probably be compared to the ATT and IBM
antitrust cases. By the time the 1969 IBM case was dropped by the feds,
after thirteen years, it no
longer mattered. IBM no longer held market dominance. The ATT case led
to the breakup of ATT into the main ATT, now no longer in the local
phone business, and the "seven RBOCs". One of the RBOCs, SBC, has since
acquired most of the others, and the parent ATT itself (and has taken
on the ATT name). (I think the other separate RBOC is Qwest, formerly
US West).
This is probably as good as any a place to bring up Network
Neutrality. The idea there is whether ISPs should be allowed to
throttle content from content providers that don't pay bribes. Is that
antitrust? Or is it all about The Free Market?